[LukasReschke]

How else would you phrase someone telling you "I have this bug and will exploit it if you don't pay me X amount" vs. "I think the impact is bigger because of Y"? For me, the first sounds quite clearly like extortion.

The first case would get you likely in trouble. The second case would routinely cause a further review in any decent program, and if there's any merit to it, you get a higher bounty.

Nobody is forced to participate in any bug bounty program. If people feel the reward is too low, they should not partake.

[TheRealSteel]

False dichotomy, they aren't threatening to exploit it, they simply won't give details of the exploit if they aren't paid.

[LukasReschke]

I'd advise anyone against trying that for a system not owned by them. (e.g., someone's else website)

As soon as you do that, you venture into dangerous territory. Companies are required to investigate claims of breaches seriously. And as soon as something like this is escalated, it may be out of the Information Security team's hands to decide the next steps.

[deeviant]

> How else would you phrase someone telling you "I have this bug and will exploit it if you don't pay me X amount"

Hello Strawman!

> The second case would routinely cause a further review in any decent program

We literally just read a example of how a big corp responds to #2. Do you think it was a 1 of?

[LukasReschke]

I was part of "big corp" for the past three years and was involved in many bug bounty reports. A reasonable claim like "I think this should be higher because XYZ" gets investigated and, if justified, higher bounties issued.

This blog post seems a bit one-sided and doesn't correlate to the facts that I have heard. I wasn't there at the time being so I don't know the truth. But that blog post seems not quite 100% to be it.

What I have seen, however, in the past years, is that some people omit facts or misrepresent things to get some press. So I am quite a cynic on blog posts like this :-)

[albntomat0]

> A reasonable claim like "I think this should be higher because XYZ" gets investigated and, if justified, higher bounties issued.

That's highly dependent on the individuals and the company doing the bounty. It's incredibly reasonable that people are suspicious of the process, when it is opaque as it is, and the disparity in negotiating power being the company and the person submitting the bug.

My personal experience is the FB bug bounty process has been generally positive, but inconsistent at times in the graded severity of issues and transparency of the decisions being made. I've clearly presented my case, and asked for additional information, but not gotten very far. My only real option in response is in how I allocate my time.

Having reports and payout amounts be permanently hidden results in stories like this being the only insight to the process.

[HotHotLava]

Well, it includes verbatim copies of the whole email chain, and those are looking pretty bad in itself without any of the surrounding text.

Unless you're saying they've been tampered with, or that there was additional communication in between that he omitted, it seems pretty clear that this is not a professional way to handle communications.